
Re: woody release task needs help: package priorities



** On May 13, Steve Langasek scribbled:
[snip]
> >    Important programs, including those which one would expect to find on any
> >    Unix-like system. If the expectation is that an experienced Unix person who
> >    found it missing would say `What on earth is going on, where is foo?', it
> >    must be an important package. [4] Other packages without which the system
> >    will not run well or be usable must also have priority important. This does
> >    not include Emacs, the X Window System, TeX or any other large
> >    applications. The important packages are just a bare minimum of
> >    commonly-expected and necessary tools.
> 
> > Experienced UNIX people [not necessarily experienced Debian people] will
> > become confused and critical when something like the above are missing.
> 
> I would expect an experienced UNIX user to react this way upon finding that
> the ftp and finger *clients* were missing from the system, but not when
> finding that the *servers* are missing.  I'd be surprised if all (or even
> most) proprietary Unices shipped with a finger daemon installed, and it's not
> at all uncommon to find Unix systems that have fingerd and ftpd disabled.
Especially since in some countries (e.g. Poland) it is forbidden by law to
expose information about users (i.e. name, surname etc.) without their
consent. fingerd (despite being possibly dangerous and vulnerable) exposes
that information and thus clearly breaks the law in certain countries. Now,
one may argue whether it is up to the admin to take care of such a situation
and configure the daemon, but removing fingerd would not hurt anyone really
badly, IMHO. An alternative might be to replace fingerd with a more capable
daemon (like cfingerd - also not perfectly safe, but IMHO better than
fingerd) configured so that the information is not sent out to the externally
connected finger client. I personally second the idea of removing it from
the set of standard packages.

> I think an ftp server ought to be provided by default, but the question then
> becomes 'which one?'  We do want the distro to be as secure as possible by
I agree.

> default.  I think the fact that ftp is a plaintext protocol isn't enough
> reason to demote the daemon's priority, but the fact that many ftp daemons
> have dubious security histories makes it important to choose one we trust to
> be secure (since we're talking about packages that are installed on all
> Debian systems, not just those run by admins who keep an eye on
> security.debian.org).
I agree completely. The ftpd daemon is used on most Unix systems, so we should
provide it - but a better one than the currently chosen ftpd
(vsftpd? BSD ftpd?)

TTL,
 marek

-- 
Visit: http://caudium.net - the Caudium WebServer

/* A completely unrelated fortune */
 To err is human, to purr feline. To err is human, two curs canine. To err
 is human, to moo bovine. 
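The point made above about fingerd sending out name and surname, and the alternative of a daemon configured to withhold them, can be shown concretely. The following is an added example, not code from this thread, from Debian's fingerd package or from cfingerd: a minimal RFC 1288 request parser, a "stock" responder that prints the GECOS field the way a default finger daemon does, a withholding responder that returns the same text for every query, and a tiny loopback client/server pair to exchange the messages. The user records (`SAMPLE_PASSWD`) are constructed for the example, and all function names are the example's own.

```python
# Added illustration of what a finger daemon reveals from the GECOS field of
# /etc/passwd and what a withholding configuration returns instead.
import socket
import threading

# Constructed /etc/passwd-style records: login -> (GECOS, home, shell).
# GECOS is the comma-separated "full name,office,phone" field fingerd prints.
SAMPLE_PASSWD = {
    "alice": ("Alice Example,Room 12,+48 555 0100,", "/home/alice", "/bin/bash"),
    "www-data": ("www-data", "/var/www", "/usr/sbin/nologin"),
}


def parse_request(raw: bytes):
    """Parse one finger query line (RFC 1288). Returns (verbose, target);
    target is None for a list-all query. Forwarding (user@host) is refused."""
    parts = raw.decode("ascii", "replace").rstrip("\r\n").split()
    verbose = bool(parts) and parts[0] == "/W"
    if verbose:
        parts = parts[1:]
    if not parts:
        return verbose, None
    if "@" in parts[0]:
        raise ValueError("finger forwarding is not permitted")
    return verbose, parts[0]


def gecos_fields(gecos: str):
    """Split GECOS into (full name, office, phone), padding missing fields."""
    return tuple((gecos.split(",") + ["", "", ""])[:3])


def default_response(target, verbose=False, passwd=SAMPLE_PASSWD) -> str:
    """Stock behaviour: GECOS name (office and phone too with /W), home and
    shell, for one user or for every account when no name is given. The
    distinct 'no such user' text lets a client enumerate valid accounts."""
    logins = [target] if target else sorted(passwd)
    out = []
    for login in logins:
        if login not in passwd:
            out.append(f"finger: {login}: no such user.")
            continue
        gecos, home, shell = passwd[login]
        name, office, phone = gecos_fields(gecos)
        out.append(f"Login: {login:<16}Name: {name}")
        if verbose:
            out.append(f"Office: {office:<15}Phone: {phone}")
        out.append(f"Directory: {home:<12}Shell: {shell}")
    return "\r\n".join(out) + "\r\n"


def private_response(target, verbose=False, passwd=SAMPLE_PASSWD) -> str:
    """Withholding configuration: no listing, no GECOS data, and identical
    text for known and unknown users so accounts cannot be enumerated."""
    if target is None:
        return "finger: user listing is disabled.\r\n"
    return "finger: no information available.\r\n"


def handle_query(raw: bytes, privacy: bool) -> str:
    """Server-side dispatch for one raw request line."""
    try:
        verbose, target = parse_request(raw)
    except ValueError:
        return "finger: forwarding not permitted.\r\n"
    return (private_response if privacy else default_response)(target, verbose)


def leaked_names(response: str, passwd=SAMPLE_PASSWD):
    """Logins whose GECOS full name (where it differs from the login itself)
    appears in a response: a quick check for personal-data exposure."""
    return sorted(login for login, (gecos, _, _) in passwd.items()
                  if gecos_fields(gecos)[0] != login
                  and gecos_fields(gecos)[0] in response)


def serve_one(privacy: bool, host="127.0.0.1") -> int:
    """Bind an ephemeral loopback port, answer one query in a thread, return the port."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:  # a finger query line fits comfortably in one recv
            conn.sendall(handle_query(conn.recv(512), privacy).encode("ascii"))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def finger(host: str, port: int, query: str) -> str:
    """Minimal finger client: send the query line, read until the server closes."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    for privacy in (False, True):
        print(f"--- privacy={privacy} ---")
        print(finger("127.0.0.1", serve_one(privacy), "/W alice"), end="")
```

Run stand-alone it prints both exchanges for `/W alice`: the stock responder returns the full name, office and phone from GECOS, while the withholding responder returns the same one-line answer it would give for a non-existent login, which also closes the account-enumeration channel that the "no such user" message opens.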